2023-09-19 //
4 min read
//
#buildkite
#hashicorp-vault
Earlier this year, Buildkite announced support for OpenID Connect tokens. Briefly, a Buildkite agent can request a signed JWT (JSON Web Token) from Buildkite representing details (claims) about its current job. This JWT can then be used to authenticate with systems that accept it.
For Hashicorp Vault, services typically authenticate using the AppRole method with a senstive set of credentials. It’s fine to use this flow on a Buildkite agent to access Vault secrets, but the credentials for this are long-lived.
The new OIDC flow removes to need to manage these long-lived credentials, and also makes it possible to craft fine-grained policies for a Buildkite agent without requiring multiple sets of login credentials!
Read more →
2023-07-17 //
4 min read
//
#buildkite
For a while now, I’ve built and published my own Terraform provider for retrieving secrets from a pass store. One of the requirements to publish a Terraform provider is that every release must be signed with a GPG key.
I have a Buildkite pipeline to build and publish these releases to GitHub. A step in this pipeline has access to a private key for signing, but it’s a different key from the one I use on my own machine. I consider the latter too sensitive to expose freely to my Buildkite agents.
With that said, managing a second key just to publish my Terraform provider is quite irksome when it has no other use for me. However, it’s unfortunately necessary if I don’t want to expose my regular key to my CI environment.
But if the worry is around exposing a secret to Buildkite agents running outside my machine, why not introduce an agent that runs specifically on my machine?
Read more →
I could do it, I didn't stop to think whether it should be done
2020-10-16 //
7 min read
//
#automation
#buildkite
#ios-shortcuts
For a while now, I’ve been automatically sending out my newsletter as a part of the deployment process for my website. It’s a great convenience that means I can focus on writing and publishing new content, instead of worrying about generating and delivering actual emails.
In my current setup, I’m able to preview newsletters from my inbox before they’re delivered to my readers. If I think one is good to go, I can hit the big red button to send it out!
While pressing this “big red button” only takes a half-dozen clicks in a web UI, I’d love if it was just that little bit easier on my end. So that’s what I set about improving today!
Read more →
With a little help from Buildkite, Mailgun and Cloudflare!
2020-03-22 //
6 min read
//
#automation
#buildkite
#cloudflare
#mailgun
For the last while I’ve been collecting interesting articles, videos and music albums that I’ve liked into a newsletter. As a next step, I decided that I’d like to start emailing this newsletter out to a list of subscribers.
Going down the more challenging path that I always follow, I decided to roll my own system as a learning experience.
Read more →
Buliding a service to validate Buildkite pipeline files
2019-12-27 //
11 min read
//
#buildkite
So I’ve been using Buildkite a bit lately and loving it. Last weekend I had the thought of building a service to validate the pipeline.yml
files it uses for configuration.
Read more →